Hey, Scripting Guy! How can I add a domain group to a local group?
Hey, DR. Before we begin today, any chance that we could borrow $5 billion, at least until the next payday? Admittedly, it’s not our habit to go around asking for money, especially an amount of money as big as that. However, we just learned this morning that the Weather channel (and its companion Web site, weather.com) are up for sale, and the asking price is expected to be around $5 billion. The Scripting Guys have already been burned once this year; when YouTube went up for sale we failed to make a bid on it, assuming that the YouTube folks would come to Redmond and beg for us to buy them out. We don’t want to make that mistake again.
Anyway, if you could spot us that $5 billion, DR, we would really appreciate it. And don’t worry, we’ll pay you back; after all, how long could it take for us to make $5 billion? Furthermore, as a gesture of good faith, we’ll – What’s that? Pay you interest? Give you Weather Channel shares? Well, sure, those are interesting proposals. But we had something different in mind: we were going to offer to give you, absolutely free, a script that adds a domain group to a local group. You know, a script like this one:
strComputer = "atl-ws-001"
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/TestGroup")
Set objADGroup = GetObject("WinNT://Fabrikam/Finance")
objLocalGroup.Add(objADGroup.ADsPath)
Before we begin we should note that this is a question we get asked quite a bit: How do I add a domain group to a local group? And usually we tell people, “That’s easy: you use the exact same approach used to add a domain user to a local group.” For some reason, however, no one ever seems to take that advice; instead they just keep asking the same question over and over again.
Note. Well, sure, we suppose that could be due to the fact that it’s next-to-impossible to find anything in the Script Center these days. We’d like to tell you that we are hard at work fixing that problem but let’s put it this way: the two Scripting Guys have problems keeping their offices neat and tidy; how do you expect people like that to get the entire Script Center cleaned up? Let’s just say that we’re aware of the problem, then pretend that that’s a good enough answer for everyone.
With that in mind, we decided to just go ahead and answer the question, without referring people anywhere else. How do you add a domain group to a local group? Well, to begin with, you assign the name of the computer where the local group resides to a variable named strComputer; in fact, that’s what we do in the very first line of code:
strComputer = "atl-ws-001"
Once that’s taken care of we next use the GetObject method and the WinNT provider to connect to that local group. In this case, that’s a group named TestGroup on the computer atl-ws-001:
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/TestGroup")
All of that is easy; it’s the next part that fouls people up. In general, any time you connect to an Active Directory object (like a group) you use the LDAP provider; for example, this command binds you to the Finance Users group in the fabrikam.com domain:
Set objGroup = GetObject("LDAP://CN=Finance Users,OU=Finance,dc=fabrikam,dc=com")
Why do you do that? Because that way you have access to the scores of Active Directory attributes that can be assigned to the object. If you use the WinNT provider to bind to an Active Directory object (assuming that you can use the WinNT provider to bind to an Active Directory object; not all Active Directory objects are accessible through the WinNT provider) you’ll only have access to a handful of attributes. For example, local user accounts feature fewer than 20 attributes; by contrast, Active Directory user accounts typically include 200 or more attributes.
That’s all fine and dandy, except for one thing: when you try to add a domain object to a local group you can’t use the LDAP provider to bind to the domain object. (We’ll explain why in a second.) That’s why we said that in general you use the LDAP provider when connecting to Active Directory objects: there are exceptions.
Instead, you have to use the WinNT provider to bind to the Active Directory group. That also means that your ADsPath values must reference the computer (or domain) name followed by the user or group name. In other words, you need to use code similar to this:
Set objADGroup = GetObject("WinNT://Fabrikam/Finance")
Don’t feel bad; many people get confused by this. After all, they make the connection to the local computer just fine and then, using the LDAP provider, they make a connection to the Active Directory group as well. It’s only when they try to add the Active Directory group to the local group that the script fails. Why? Because when you bind to an Active Directory account using the LDAP provider you get back an ADsPath value similar to this:
LDAP://CN=Finance Users,OU=Finance,dc=fabrikam,dc=com
Does that really matter? Yes, it does; after all, you need the ADsPath attribute in order to add a group (or user) to another group. For better or worse, however, the Security Account Manager (SAM) on the local computer has no idea what an Active Directory-style path like this means. CN=Finance Users? OU=Finance? The SAM doesn’t know what any of those things are, and so the SAM simply gives up without a fight.
Fortunately the workaround to this problem is simple enough: when you bind to the Active Directory group, use the WinNT provider and a Windows NT 4.0-styled path: domain/logon name. (The logon name is equivalent to Active Directory’s sAMAccountName attribute.) In other words, you need to connect to the domain group using this line of code, where Fabrikam is the short name of the fabrikam.com domain and Finance is the “logon” name of the Finance Users group:
Set objADGroup = GetObject("WinNT://Fabrikam/Finance")
That should do the trick. And once that’s done all you have to do is call the Add method, passing the value of the domain group’s ADsPath attribute as the sole method parameter:
objLocalGroup.Add(objADGroup.ADsPath)
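The same procedure in PowerShell, as an added example that is not code from the original Scripting Guys post. It binds both groups through the ADSI WinNT provider exactly as the VBScript above does, and it also covers the point made earlier about LDAP paths: the ConvertTo-WinNTPath helper shows how to get from an LDAP-bound group to the NT 4.0-style WinNT://DOMAIN/sAMAccountName path that the local SAM can actually understand. The names (atl-ws-001, TestGroup, Fabrikam, Finance) are the post’s hypothetical examples and are assumptions; the function and parameter names are ours. The script needs local administrator rights on the target computer, and remember that if the local group is Administrators, every current and future member of the domain group becomes a local administrator, so review the domain group’s membership before running it.

```powershell
# Added example, not code from the original Scripting Guys post.
# Adds a domain group to a local group through the ADSI WinNT provider, using
# an NT 4.0-style DOMAIN/sAMAccountName path, and checks membership first.
# Assumed (hypothetical) names: computer atl-ws-001, local group TestGroup,
# NetBIOS domain Fabrikam, domain group whose sAMAccountName is Finance.
# Requires local administrator rights on the target computer.
param(
    [string]$ComputerName = 'atl-ws-001',
    [string]$LocalGroup   = 'TestGroup',
    [string]$Domain       = 'Fabrikam',   # NetBIOS short name, not fabrikam.com
    [string]$DomainGroup  = 'Finance'     # sAMAccountName, not "Finance Users"
)

# Turn an LDAP-bound group into the WinNT path the local SAM understands.
# The SAM cannot parse CN=/OU=/DC= paths, so read sAMAccountName and rebuild.
function ConvertTo-WinNTPath {
    param(
        [System.DirectoryServices.DirectoryEntry]$LdapEntry,
        [string]$NetBiosDomain
    )
    $sam = [string]$LdapEntry.Properties['sAMAccountName'].Value
    return "WinNT://$NetBiosDomain/$sam"
}

# Members() returns COM objects; read each one's ADsPath and drop any ",class"
# suffix so paths compare cleanly (PowerShell string comparison is case-insensitive,
# which matters because the provider may return the domain name in upper case).
function Get-GroupMemberPaths {
    param([System.DirectoryServices.DirectoryEntry]$Group)
    @($Group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $path -replace ',[^/,]+$', ''
    }
}

# Bind both groups with the WinNT provider, as the post does. The ",group"
# class hint on the local group only saves ADSI a search across users and groups.
$local  = [ADSI]"WinNT://$ComputerName/$LocalGroup,group"
$domain = [ADSI]"WinNT://$Domain/$DomainGroup"

$target  = $domain.psbase.Path -replace ',[^/,]+$', ''
$members = Get-GroupMemberPaths -Group $local

if ($members -contains $target) {
    Write-Host "$Domain\$DomainGroup is already a member of $ComputerName\$LocalGroup; nothing to do."
} else {
    # IADsGroup::Add takes the member's ADsPath, just like objLocalGroup.Add(objADGroup.ADsPath).
    # Adding a member that is already present throws an error, which is why we checked first.
    $local.psbase.Invoke('Add', $domain.psbase.Path)
    Write-Host "Added $Domain\$DomainGroup to $ComputerName\$LocalGroup."
}

# Verify by re-reading the membership list.
Get-GroupMemberPaths -Group $local
```

Run it from an elevated prompt on a domain-joined machine, overriding the defaults as needed (for example `.\Add-DomainGroupToLocalGroup.ps1 -ComputerName atl-ws-002 -LocalGroup Administrators`). If you already hold the group as an LDAP object, pass it to ConvertTo-WinNTPath together with the domain’s NetBIOS name and bind to the returned path with [ADSI] before calling Add.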
And there you have it. Will that really add the domain group to the local group? Hey, have the Scripting Guys ever steered you wrong before?
We mean today: have the Scripting Guys ever steered you wrong today?
Well, OK, how about in the last 15 minutes? Raise your hands if the Scripting Guys have steered you wrong in the last 15 minutes.
Anyway, we hope that helps you, DR, and we hope that helps everyone else who keeps asking how to add a domain group to a local group. And you know, if everyone who has asked us that question would send in a dollar we’d be well on our way to raising that $5 billion we need to buy the Weather Channel.
Wait, check that; we forgot to carry the 1 when doing our division. Change that last statement to this: if everyone who has asked us that question would send in $267 million we’d be well on our way to raising that $5 billion we need to buy the Weather Channel. Act now, and we’ll name the first hurricane of 2008 after you. Guaranteed!